Geoff Chappell - Software Analyst
Public symbol files for the kernel in Windows XP SP3 and Windows Server 2003 SP2 show that the LoggerMode in the WMI_LOGGER_CONTEXT was once defined in union with a WMI_LOGGER_MODE structure of ULONG bit fields:
| Mask | Definition | Versions |
|---|---|---|
| 0x00000001 |
ULONG SequentialFile : 1; |
5.0 to 5.2 |
| 0x00000002 |
ULONG CircularFile : 1; |
5.0 to 5.2 |
| 0x00000004 |
ULONG AppendFile : 1; |
5.1 to 5.2 |
ULONG Unused1 : 6; |
5.0 only | |
ULONG Unused1 : 5; |
5.1 to 5.2 | |
| 0x00000100 |
ULONG RealTime : 1; |
5.0 to 5.2 |
| 0x00000200 |
ULONG DelayOpenFile : 1; |
5.0 to 5.2 |
| 0x00000400 |
ULONG BufferOnly : 1; |
5.0 to 5.2 |
| 0x00000800 |
ULONG PrivateLogger : 1; |
5.0 to 5.2 |
| 0x00001000 |
ULONG AddHeader : 1; |
5.0 to 5.2 |
| 0x00002000 |
ULONG UseExisting : 1; |
5.1 to 5.2 |
| 0x00004000 |
ULONG UseGlobalSequence : 1; |
5.1 to 5.2 |
| 0x00008000 |
ULONG UseLocalSequence : 1; |
5.1 to 5.2 |
ULONG Unused2 : 16; |
5.1 to 5.2 |
The symbol files show that this stopped for version 6.0. When it began is an open question. That it was established for all builds of versions 5.1 and 5.2 must be almost certain. The suggestion is strong that it dates from version 5.0. See especially that PrivateLogger is defined for the kernel’s symbol files even though it is not known to the kernel. It is, however, meaningful to the user-mode implementation right from the start. Though the two implementations, kernel-mode and user-mode, soon diverged, their WMI_LOGGER_CONTEXT structures very plainly had a common origin for version 5.0, and it is here thought that they had the WMI_LOGGER_MODE in common too.
On the other hand, the WMI_LOGGER_MODE can’t have been more than peripheral to the programming even in the versions for which its definition is certain. See in particular the uneven definition of flags for version 5.1: EVENT_TRACE_FILE_MODE_APPEND becomes AppendFile, presumably narrowing what had been left as Unused1, but no bit field is defined for what was then the similarly new EVENT_TRACE_FILE_MODE_NEWFILE.
It is perhaps as well to collect here the various bits that represent the wide variety of possible logger modes, as kept in the LoggerMode member of the kernel-mode WMI_LOGGER_CONTEXT. Some are documented, and are defined as macros in EVNTRACE.H, but Microsoft’s names for some are known only from the NTWMI.H header which Microsoft published in the Enterprise edition of the Windows Driver Kit (WDK) for Windows 10 version 1511. The reckoning of which flags are supported in which versions is in preparation: do not rely on it.
| Value | Name | Versions | Kernel-Mode Constraints |
|---|---|---|---|
| 0x00000001 | EVENT_TRACE_FILE_MODE_SEQUENTIAL | 5.0 and higher | invalid with EVENT_TRACE_FILE_MODE_CIRCULAR |
| 0x00000002 | EVENT_TRACE_FILE_MODE_CIRCULAR | 5.0 and higher | invalid with EVENT_TRACE_FILE_MODE_SEQUENTIAL |
| 5.1 and higher | invalid with EVENT_TRACE_FILE_MODE_APPEND | ||
| 0x00000004 | EVENT_TRACE_FILE_MODE_APPEND | 5.1 and higher | invalid with EVENT_TRACE_FILE_MODE_CIRCULAR |
| 0x00000008 | EVENT_TRACE_FILE_MODE_NEWFILE | 5.1 and higher | |
| 0x00000010 | unknown | 5.2 only | but not defined for 5.2 DDK |
| EVENT_TRACE_USE_MS_FLUSH_TIMER | 6.1 and higher | ||
| 0x00000020 | EVENT_TRACE_FILE_MODE_PREALLOCATE | 5.1 and higher | |
| 0x00000040 | EVENT_TRACE_NONSTOPPABLE_MODE | 6.0 and higher | |
| 0x00000080 | EVENT_TRACE_SECURE_MODE | 6.0 and higher | |
| 0x00000100 | EVENT_TRACE_REAL_TIME_MODE | 5.0 and higher | |
| 0x00000200 | EVENT_TRACE_DELAY_OPEN_FILE_MODE | 5.0 only | requires LogFileName |
| 5.1 and higher | |||
| 6.1 and higher | ignored (but see note) | ||
| 0x00000400 | EVENT_TRACE_BUFFERING_MODE | 5.0 and higher | |
| 0x00000800 | EVENT_TRACE_PRIVATE_LOGGER_MODE | user-mode only | |
| 0x00001000 | EVENT_TRACE_ADD_HEADER_MODE | 5.0 only | |
| 6.1 and higher | mostly ignored | ||
| 0x00002000 | EVENT_TRACE_USE_KBYTES_FOR_SIZE | 5.2 and higher | but not defined for 5.2 DDK |
| 0x00004000 | EVENT_TRACE_USE_GLOBAL_SEQUENCE | 5.1 and higher | invalid with EVENT_TRACE_USE_LOCAL_SEQUENCE |
| 0x00008000 | EVENT_TRACE_USE_LOCAL_SEQUENCE | 5.1 and higher | invalid with EVENT_TRACE_USE_GLOBAL_SEQUENCE |
| 0x00010000 | EVENT_TRACE_RELOG_MODE | user-mode only | |
| 0x00020000 | EVENT_TRACE_PRIVATE_IN_PROC | user-mode only | |
| 0x00040000 | EVENT_TRACE_BUFFER_INTERFACE_MODE | 6.1 and higher | |
| 0x00080000 | EVENT_TRACE_KD_FILTER_MODE | 5.1 and higher | but not defined for 5.1 DDK |
| 0x00100000 | EVENT_TRACE_REALTIME_RELOG_MODE | 6.0 and higher | |
| 6.1 and higher | mostly ignored | ||
| 0x00200000 | EVENT_TRACE_LOST_EVENTS_DEBUG_MODE | 6.2 and higher | |
| 0x00400000 | EVENT_TRACE_STOP_ON_HYBRID_SHUTDOWN | 6.2 and higher | |
| 0x00800000 | EVENT_TRACE_PERSIST_ON_HYBRID_SHUTDOWN | 6.2 and higher | |
| 0x01000000 | EVENT_TRACE_USE_PAGED_MEMORY | 5.1 and higher | |
| 0x02000000 | EVENT_TRACE_SYSTEM_LOGGER_MODE | 6.2 and higher | |
| 0x04000000 | EVENT_TRACE_COMPRESSED_MODE | 6.2 and higher | invalid |
| 0x08000000 | EVENT_TRACE_INDEPENDENT_SESSION_MODE | 6.3 and higher | |
| 0x10000000 | EVENT_TRACE_NO_PER_PROCESSOR_BUFFERING | 6.1 and higher | |
| 0x20000000 | EVENT_TRACE_BLOCKING_MODE | ||
| 0x40000000 | apparently unused | ||
| 0x80000000 | EVENT_TRACE_ADDTO_TRIAGE_DUMP | 6.2 and higher |
Very many combinations of these bits are invalid. Some bits are not known to the kernel but are instead vital to the separate NTDLL implementation that lets user-mode processes do their own event tracing.